Appendix I: English original text

A New Virtual Private Network for Today's Mobile World
Karen Heyman
Computer, December 2007. Published by the IEEE Computer Society.

Virtual private networks were a critical technology for turning the Internet into an important business tool. Today's VPNs establish secure connections between a remote user and a corporate or other network via the encryption of packets sent through the Internet, rather than an expensive private network. However, they traditionally have linked only a relatively few nodes that a company's IT department controls and configures.

This is not adequate for the many organizations that now must let managers, employees, partners, suppliers, consultants, e-commerce customers, and others access networks from their own PCs, laptops, publicly available computers like those at airport kiosks, and even mobile devices, many not controlled by the organization.

VPNs based on Internet Protocol security (IPsec) technology were not designed for and are not well suited for such uses. Instead of restricting remote users who should not have access to many parts of a company network, explained Graham Titterington, principal analyst with market-research firm Ovum, IPsec generally connects users into a network and gives the same sort of access they would have if they were physically on the LAN.

Organizations are thus increasingly adopting VPNs based on Secure Sockets Layer technology from vendors such as Aventail, Cisco Systems, F5 Networks, Juniper Networks, and Nortel Networks.

SSL VPNs enable relatively easy deployment, added Chris Silva, an analyst at Forrester Research, a market-research firm. A company can install the VPN at its headquarters and push any necessary software to users, who then access the network via their browsers, he explained. Organizations thus do not have to manage, update, or buy licenses for multiple clients, yielding lower costs, less maintenance and support, and greater simplicity than IPsec VPNs, Silva said.

"From a remote-access perspective, IPsec is turning into a legacy technology," said Rich Campagna, Juniper SSL VPN product manager.

Nonetheless, IPsec VPNs are still preferable for some uses, such as linking a remote, company-controlled node, perhaps in a branch office, with the corporate network. Both VPN flavors are likely to continue to flourish, with the choice

An early attempt to create a VPN over the Internet used multiprotocol label switching, which adds labels to packets to designate their network path. In essence, all packets in a data set travel through designated tunnels to their destinations. However, MPLS VPNs don't encrypt data.

IPsec and SSL VPNs, on the other hand, use encrypted packets with cryptographic keys exchanged between sender and receiver over the public Internet. Once encrypted, the data can take any route over the Internet to reach its final destination. There is no dedicated pathway. US Defense Department contractors began using this technique as far back as the late 1980s, according to Paul Hoffman, director of the VPN Consortium (www.vpnc.org).

Introducing IPsec

Vendors initially used proprietary and other forms of encryption with their VPNs. However, to establish a standard way to create interoperable VPNs, many vendors moved to IPsec, which the Internet Engineering Task Force (IETF) adopted in 1998.

With IPsec, a computer sends a request for data from a server through a gateway, acting essentially as a router, at the edge of its network. The gateway encrypts the data and sends it over the Internet. The receiving gateway queries the incoming packets, authenticates the sender's identity and designated network-access level, and if everything checks out, admits and decrypts the information. Both the transmitter and receiver must support IPsec and share a public encryption key for authentication.

[Figure 1 diagram: remote users (business partner, kiosk user, temporary staff, traveling staff, telecommuter) send SSL-encrypted traffic across the Internet and through the firewall to the SSL VPN (authentication, authorization, decryption, integrity check), which passes decrypted traffic to the Web proxy, Web server, e-mail server, file and media server, terminal services, and desktop.]

Figure 1. In an SSL VPN, a remote user logs in to a dedicated Web site to access a company's network. The user's browser initiates the session with a corporate server or desktop computer, which downloads the necessary software to the client. The software uses SSL for encrypting the transmitted data. At the corporate site, the VPN system authenticates users, determines what level of network access they should have, and if everything checks out, decrypts the data and sends it to the desired destination.

Unlike SSL, IPsec is implemented as a full application installed on the client. And it doesn't take advantage of existing browser code.

IPsec limitations

According to Forrester's Silva, corporate IT departments increasingly need to let remote users connect to enterprise networks, which is challenging with IPsec. The normal practice of configuring IPsec VPNs to allow full access to a network can create vulnerabilities. To avoid this, administrators would have to configure them to permit access only to parts of a network, according to Peter Silva, technical marketing manager for F5 Networks' SSL VPNs.

IPsec VPNs also have trouble letting certain traffic traverse firewalls, he explained. This isn't usually a problem, as most companies have the same basic ports open both inbound and outbound. However, it is possible that one company would let traffic out over a port that another doesn't leave open for inbound data. By contrast, the vast majority of companies have port 80 open inbound and outbound, so crossing firewalls is rarely a problem for SSL VPNs, which are Web-based.

IPsec VPNs are full programs and thus are large, generally 6 to 8 megabytes. This means they download more slowly and don't always work well on smaller devices.

ENTER THE SSL VPN

The first SSL VPN vendor was Neoteris, purchased in 2003 by NetScreen, which Juniper bought the next year, according to Juniper's Campagna.

SSL

Netscape Communications developed SSL and released the first public version in 1994. The IETF adopted the technology as a standard in 1999, naming it Transport Layer Security. However, most users still call it SSL. The technology, which offers
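The firewall-traversal argument in the "IPsec limitations" section above, as an added example that is not part of the article: two sites' allow lists are modelled with a default-deny matcher, and a VPN session is possible only when every flow it needs is permitted both leaving the client site and entering the corporate site. The IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50, no ports) flows are standard IPsec values, HTTPS on TCP/443 is assumed for the SSL VPN alongside the article's port 80, and both policies are constructed samples.

```python
# Added example, not from the article: a minimal model of why an SSL VPN
# crosses firewalls more reliably than IPsec. Each site is an allow list
# (default deny); a session works only if every required flow is allowed
# out of the client site AND into the corporate site.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "esp"
    port: Optional[int]   # destination port; ESP carries no port


# An allow rule is (proto, port); port=None means "any port / no port".
Rule = Tuple[str, Optional[int]]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    proto, port = rule
    return proto == flow.proto and (port is None or port == flow.port)


def permitted(allow_rules: List[Rule], flow: Flow) -> bool:
    """Default-deny: the flow passes only if some allow rule matches it."""
    return any(rule_matches(r, flow) for r in allow_rules)


# Flows each VPN type needs from client to gateway. TCP/443 (HTTPS) is an
# assumption; the article itself only names port 80 as near-universally open.
SSL_VPN_FLOWS = [Flow("tcp", 443)]
IPSEC_FLOWS = [Flow("udp", 500), Flow("udp", 4500), Flow("esp", None)]


def blocked_flows(client_egress: List[Rule], corp_ingress: List[Rule],
                  flows: List[Flow]) -> List[Flow]:
    """Flows stopped at either hop; an empty list means the VPN can connect."""
    return [f for f in flows
            if not (permitted(client_egress, f) and permitted(corp_ingress, f))]


# Constructed sample policies: the client site (say a partner's office) lets
# Web and IKE traffic out but has no ESP rule; the corporate site admits Web
# traffic and IKE but neither NAT-T nor ESP. The asymmetry the article
# describes shows up only for the IPsec flows.
CLIENT_EGRESS: List[Rule] = [("tcp", 80), ("tcp", 443), ("udp", 500), ("udp", 4500)]
CORP_INGRESS: List[Rule] = [("tcp", 80), ("tcp", 443), ("udp", 500)]

if __name__ == "__main__":
    for name, flows in (("SSL VPN", SSL_VPN_FLOWS), ("IPsec VPN", IPSEC_FLOWS)):
        blocked = blocked_flows(CLIENT_EGRESS, CORP_INGRESS, flows)
        print(f"{name}: {'connects' if not blocked else 'blocked on ' + str(blocked)}")
```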